Expose and Secure a Workload with a Certificate
This tutorial shows how to expose a workload and secure it with mutual authentication using a TLS Gateway.
Prerequisites
- You have the Istio and API Gateway modules added.
- You have a deployed workload.
NOTE
To expose a workload using APIRule in version v2, the workload must be a part of the Istio service mesh. See Enable Istio Sidecar Proxy Injection.
- You have set up your custom domain.
- Set up a mutual TLS Gateway and export the bundle certificates.
- Prepare a Client Root CA and certificate. For non-production environments, you can create your own self-signed Client Root CA and certificate.
Procedure
Access the Secured Resources
Call the secured endpoints of the HTTPBin Service.
In the following command, replace {SUBDOMAIN} and {DOMAIN} with the workload's subdomain and domain. Send a GET request to the Service with the client certificates that you used to create the mTLS Gateway:
```bash
curl --key "${CLIENT_CERT_KEY_FILE}" \
  --cert "${CLIENT_CERT_CRT_FILE}" \
  --cacert "${CLIENT_ROOT_CA_CRT_FILE}" \
  -ik -X GET https://{SUBDOMAIN}.{DOMAIN}/headers
```
If successful, the call returns the 200 OK response code. If you call the Service without the proper certificates or with invalid ones, you get a 403 Forbidden error.
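The call above can be scripted so that the rejection path is tested as well as the success path. The following is an added example, not part of the original tutorial; `MTLS_URL`, `SERVER_CA_FILE` and the function names are assumptions, and it treats a curl status of `000` (no HTTP response, for example an aborted TLS handshake) as a rejection alongside the 403 the tutorial names.

```shell
#!/bin/sh
# Added example: confirm the mTLS Gateway accepts the client certificate and
# rejects a call made without one. CLIENT_CERT_KEY_FILE and
# CLIENT_CERT_CRT_FILE are the tutorial's variables; MTLS_URL, SERVER_CA_FILE
# and the function names are hypothetical.

# Print the HTTP status of a GET to $1; remaining arguments go to curl.
# -k is not passed, so curl verifies the server certificate against
# SERVER_CA_FILE if set, otherwise against the system trust store.
http_status() (
  url=$1; shift
  [ -z "${SERVER_CA_FILE:-}" ] || set -- --cacert "$SERVER_CA_FILE" "$@"
  # curl writes 000 when no HTTP response arrives (for example, the TLS
  # handshake was aborted), so a failed connection still yields a status.
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$@" "$url") || true
  printf '%s\n' "${code:-000}"
)

# Exit status 0 only if the certificate is accepted (200) and the request
# without it is rejected (403 as the tutorial states, or 000).
verify_mtls() (
  url=$1
  with=$(http_status "$url" --key "$CLIENT_CERT_KEY_FILE" --cert "$CLIENT_CERT_CRT_FILE")
  without=$(http_status "$url")
  echo "with client certificate: $with, without: $without"
  [ "$with" = 200 ] || { echo "FAIL: client certificate not accepted" >&2; exit 1; }
  case $without in
    403|000) echo "OK: mutual TLS is enforced" ;;
    *) echo "FAIL: request without a certificate returned $without" >&2; exit 1 ;;
  esac
)

# Runs only when a target is supplied, e.g.
#   MTLS_URL=https://{SUBDOMAIN}.{DOMAIN}/headers sh check.sh
if [ -n "${MTLS_URL:-}" ]; then verify_mtls "$MTLS_URL"; fi
```

A non-zero exit status makes the script usable as a post-deployment gate: it fails if the Gateway starts answering requests that carry no client certificate.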